CWE-608: Struts: Non-private Field in ActionForm Class
An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.
Technical Details
Structure: Simple
Applicable To: Java (Apache Struts 1 ActionForm classes)
Security Consequences
Scope: Integrity, Confidentiality
Impact: Modify Application Data, Read Application Data
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following Java example the class RegistrationForm is a Struts framework ActionForm bean that holds user input from the registration page of an online business site. The user enters registration data and, through the Struts framework, the RegistrationForm bean carries that data to the application.
However, within RegistrationForm the member variables for the registration form input data are declared public rather than private. All member variables within a Struts framework ActionForm class must be declared private, so that they can only be read or modified through the getter and setter methods; a public field lets any code holding a reference to the form bypass whatever normalization or checks those methods perform. In the corrected version the member variables are declared private and getter and setter methods are provided for accessing them.
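The weak form beside its corrected form, as an added example; this is not the CWE entry's own code nor code from Apache Struts. It assumes Struts 1.x (`org.apache.struts.action.ActionForm`) on the classpath; the field names, the rules in `validate()`, and the message keys are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// CWE-608 pattern: public fields. Any code holding a reference to the form can
// write them directly, skipping the normalization and checks the form relies on:
//     weak.email = "  Admin@Example.COM ";   // never trimmed or lower-cased
class WeakRegistrationForm extends ActionForm {
    public String name;
    public String email;
    public String password;
}

// Corrected form: private fields reachable only through getters and setters,
// so every write passes through the same normalization, and validate() sees
// the same values the application will later use.
public class RegistrationForm extends ActionForm {
    private String name;
    private String email;
    private String password;

    public String getName() { return name; }

    public void setName(String name) {
        this.name = name == null ? null : name.trim();
    }

    public String getEmail() { return email; }

    public void setEmail(String email) {
        // Canonicalize once, here, so comparisons elsewhere use one form.
        this.email = email == null ? null : email.trim().toLowerCase();
    }

    public String getPassword() { return password; }

    public void setPassword(String password) { this.password = password; }

    // Invoked by the Struts request processor after the bean has been populated
    // from the request; rejects the submission before any Action sees it.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (name == null || name.isEmpty()) {
            errors.add("name", new ActionMessage("error.name.required"));
        }
        if (email == null || email.indexOf('@') < 1) {
            errors.add("email", new ActionMessage("error.email.invalid"));
        }
        if (password == null || password.length() < 12) {
            errors.add("password", new ActionMessage("error.password.short"));
        }
        return errors;
    }

    // Clear state between requests so a session-scoped form cannot leak
    // one user's values into the next submission.
    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        name = null;
        email = null;
        password = null;
    }
}
```

Struts 1 populates the form through its setter methods (via Commons BeanUtils), so with the private-field version every value that reaches `validate()` has already been normalized by the setter. With the public-field version nothing stops another class, a JSP scriptlet, or a later Action from assigning the fields directly and handing downstream code a value that was never trimmed, canonicalized, or checked.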
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-608: Struts: Non-private Field in ActionForm Class?
CWE-608: Struts: Non-private Field in ActionForm Class is a Common Weakness Enumeration (CWE) entry maintained by MITRE. An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.
What are the security consequences of Struts: Non-private Field in ActionForm Class?
If exploited, CWE-608 (Struts: Non-private Field in ActionForm Class) can compromise Integrity and Confidentiality, leading to outcomes such as Modify Application Data and Read Application Data.
Which programming languages are affected by Struts: Non-private Field in ActionForm Class?
CWE-608 affects Java, specifically ActionForm classes in the Apache Struts 1 framework. The underlying principle, keeping state private and exposing it only through accessor methods that enforce the object's invariants, applies to any language with encapsulation.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-608 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.